tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-01 13:48:37 +02:00
Code Issues Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/3.0' into 3.1

Browse Source
This commit is contained in:
Sean Harvey 2014-08-22 17:50:36 +12:00
commit 0e07f1a7f5
8 changed files with 90 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
forms/Form.php
View File

@ -155,10 +155,6 @@ class Form extends RequestHandler {
'forTemplate', 'forTemplate',
); );
private static $casting = array(
'Message' => 'Text'
);
/** /**
* Create a new form, with the given fields an action buttons. * Create a new form, with the given fields an action buttons.
* *
@ -508,10 +504,10 @@ class Form extends RequestHandler {
* Add a plain text error message to a field on this form. It will be saved into the session * Add a plain text error message to a field on this form. It will be saved into the session
* and used the next time this form is displayed. * and used the next time this form is displayed.
*/ */
public function addErrorMessage($fieldName, $message, $messageType) { public function addErrorMessage($fieldName, $message, $messageType, $escapeHtml = true) {
Session::add_to_array("FormInfo.{$this->FormName()}.errors", array( Session::add_to_array("FormInfo.{$this->FormName()}.errors", array(
'fieldName' => $fieldName, 'fieldName' => $fieldName,
'message' => $message, 'message' => $escapeHtml ? Convert::raw2xml($message) : $message,
'messageType' => $messageType, 'messageType' => $messageType,
)); ));
} }
@ -1035,9 +1031,12 @@ class Form extends RequestHandler {
* *
* @param message the text of the message * @param message the text of the message
* @param type Should be set to good, bad, or warning. * @param type Should be set to good, bad, or warning.
* @param boolean $escapeHtml Automatically sanitize the message. Set to FALSE if the message contains HTML.
* In that case, you might want to use {@link Convert::raw2xml()} to escape any
* user supplied data in the message.
*/ */
public function setMessage($message, $type) { public function setMessage($message, $type, $escapeHtml = true) {
$this->message = $message; $this->message = ($escapeHtml) ? Convert::raw2xml($message) : $message;
$this->messageType = $type; $this->messageType = $type;
return $this; return $this;
} }
@ -1047,14 +1046,23 @@ class Form extends RequestHandler {
* *
* @param message the text of the message * @param message the text of the message
* @param type Should be set to good, bad, or warning. * @param type Should be set to good, bad, or warning.
* @param boolean $escapeHtml Automatically sanitize the message. Set to FALSE if the message contains HTML.
* In that case, you might want to use {@link Convert::raw2xml()} to escape any
* user supplied data in the message.
*/ */
public function sessionMessage($message, $type) { public function sessionMessage($message, $type, $escapeHtml = true) {
Session::set("FormInfo.{$this->FormName()}.formError.message", $message); Session::set(
"FormInfo.{$this->FormName()}.formError.message",
$escapeHtml ? Convert::raw2xml($message) : $message
);
Session::set("FormInfo.{$this->FormName()}.formError.type", $type); Session::set("FormInfo.{$this->FormName()}.formError.type", $type);
} }
public static function messageForForm( $formName, $message, $type ) { public static function messageForForm( $formName, $message, $type, $escapeHtml = true) {
Session::set("FormInfo.{$formName}.formError.message", $message); Session::set(
"FormInfo.{$formName}.formError.message",
$escapeHtml ? Convert::raw2xml($message) : $message
);
Session::set("FormInfo.{$formName}.formError.type", $type); Session::set("FormInfo.{$formName}.formError.type", $type);
} }

9
forms/FormField.php
View File

@ -93,10 +93,6 @@ class FormField extends RequestHandler {
*/ */
protected $attributes = array(); protected $attributes = array();
private static $casting = array(
'Message' => 'Text'
);
/** /**
* Takes a fieldname and converts camelcase to spaced * Takes a fieldname and converts camelcase to spaced
* words. Also resolves combined fieldnames with dot syntax * words. Also resolves combined fieldnames with dot syntax
@ -475,7 +471,10 @@ class FormField extends RequestHandler {
/** /**
* Sets the error message to be displayed on the form field * Sets the error message to be displayed on the form field
* Set by php validation of the form * Set by php validation of the form.
*
* @param string $message Message to show to the user. Allows HTML content,
* which means you need to use Convert::raw2xml() for any user supplied data.
*/ */
public function setError($message, $messageType) { public function setError($message, $messageType) {
$this->message = $message; $this->message = $message;

18
forms/gridfield/GridFieldDetailForm.php
View File

@ -527,7 +527,7 @@ class GridFieldDetailForm_ItemRequest extends RequestHandler {
$this->record->write(); $this->record->write();
$list->add($this->record, $extraData); $list->add($this->record, $extraData);
} catch(ValidationException $e) { } catch(ValidationException $e) {
$form->sessionMessage($e->getResult()->message(), 'bad'); $form->sessionMessage($e->getResult()->message(), 'bad', false);
$responseNegotiator = new PjaxResponseNegotiator(array( $responseNegotiator = new PjaxResponseNegotiator(array(
'CurrentForm' => function() use(&$form) { 'CurrentForm' => function() use(&$form) {
return $form->forTemplate(); return $form->forTemplate();
@ -544,11 +544,9 @@ class GridFieldDetailForm_ItemRequest extends RequestHandler {
// TODO Save this item into the given relationship // TODO Save this item into the given relationship
// TODO Allow HTML in form messages $link = '<a href="' . $this->Link('edit') . '">"'
// $link = '<a href="' . $this->Link('edit') . '">"' . htmlspecialchars($this->record->Title, ENT_QUOTES)
// . htmlspecialchars($this->record->Title, ENT_QUOTES) . '"</a>';
// . '"</a>';
$link = '"' . $this->record->Title . '"';
$message = _t( $message = _t(
'GridFieldDetailForm.Saved', 'GridFieldDetailForm.Saved',
'Saved {name} {link}', 'Saved {name} {link}',
@ -558,7 +556,7 @@ class GridFieldDetailForm_ItemRequest extends RequestHandler {
) )
); );
$form->sessionMessage($message, 'good'); $form->sessionMessage($message, 'good', false);
if($new_record) { if($new_record) {
return $controller->redirect($this->Link()); return $controller->redirect($this->Link());
@ -585,7 +583,7 @@ class GridFieldDetailForm_ItemRequest extends RequestHandler {
$this->record->delete(); $this->record->delete();
} catch(ValidationException $e) { } catch(ValidationException $e) {
$form->sessionMessage($e->getResult()->message(), 'bad'); $form->sessionMessage($e->getResult()->message(), 'bad', false);
return $this->getToplevelController()->redirectBack(); return $this->getToplevelController()->redirectBack();
} }
@ -598,9 +596,9 @@ class GridFieldDetailForm_ItemRequest extends RequestHandler {
$toplevelController = $this->getToplevelController(); $toplevelController = $this->getToplevelController();
if($toplevelController && $toplevelController instanceof LeftAndMain) { if($toplevelController && $toplevelController instanceof LeftAndMain) {
$backForm = $toplevelController->getEditForm(); $backForm = $toplevelController->getEditForm();
$backForm->sessionMessage($message, 'good'); $backForm->sessionMessage($message, 'good', false);
} else { } else {
$form->sessionMessage($message, 'good'); $form->sessionMessage($message, 'good', false);
} }
//when an item is deleted, redirect to the parent controller //when an item is deleted, redirect to the parent controller

5
security/MemberLoginForm.php
View File

@ -134,7 +134,6 @@ JS;
* Get message from session * Get message from session
*/ */
protected function getMessageFromSession() { protected function getMessageFromSession() {
parent::getMessageFromSession();
if(($member = Member::currentUser()) && !Session::get('MemberLoginForm.force_message')) { if(($member = Member::currentUser()) && !Session::get('MemberLoginForm.force_message')) {
$this->message = _t( $this->message = _t(
'Member.LOGGEDINAS', 'Member.LOGGEDINAS',
@ -143,6 +142,10 @@ JS;
); );
} }
Session::set('MemberLoginForm.force_message', false); Session::set('MemberLoginForm.force_message', false);
parent::getMessageFromSession();
return $this->message;
} }

46
tests/forms/FormTest.php
View File

@ -484,6 +484,52 @@ class FormTest extends FunctionalTest {
$this->assertContains('three="3"', $form->getAttributesHTML('one', 'two')); $this->assertContains('three="3"', $form->getAttributesHTML('one', 'two'));
} }
function testMessageEscapeHtml() {
$form = $this->getStubForm();
$form->Controller()->handleRequest(new SS_HTTPRequest('GET', '/'), DataModel::inst()); // stub out request
$form->sessionMessage('<em>Escaped HTML</em>', 'good', true);
$parser = new CSSContentParser($form->forTemplate());
$messageEls = $parser->getBySelector('.message');
$this->assertContains(
'&lt;em&gt;Escaped HTML&lt;/em&gt;',
$messageEls[0]->asXML()
);
$form = $this->getStubForm();
$form->Controller()->handleRequest(new SS_HTTPRequest('GET', '/'), DataModel::inst()); // stub out request
$form->sessionMessage('<em>Unescaped HTML</em>', 'good', false);
$parser = new CSSContentParser($form->forTemplate());
$messageEls = $parser->getBySelector('.message');
$this->assertContains(
'<em>Unescaped HTML</em>',
$messageEls[0]->asXML()
);
}
function testFieldMessageEscapeHtml() {
$form = $this->getStubForm();
$form->Controller()->handleRequest(new SS_HTTPRequest('GET', '/'), DataModel::inst()); // stub out request
$form->addErrorMessage('key1', '<em>Escaped HTML</em>', 'good', true);
$form->setupFormErrors();
$parser = new CSSContentParser($form->forTemplate());
$messageEls = $parser->getBySelector('#key1 .message');
$this->assertContains(
'&lt;em&gt;Escaped HTML&lt;/em&gt;',
$messageEls[0]->asXML()
);
$form = $this->getStubForm();
$form->Controller()->handleRequest(new SS_HTTPRequest('GET', '/'), DataModel::inst()); // stub out request
$form->addErrorMessage('key1', '<em>Unescaped HTML</em>', 'good', false);
$form->setupFormErrors();
$parser = new CSSContentParser($form->forTemplate());
$messageEls = $parser->getBySelector('#key1 .message');
$this->assertContains(
'<em>Unescaped HTML</em>',
$messageEls[0]->asXML()
);
}
protected function getStubForm() { protected function getStubForm() {
return new Form( return new Form(
new FormTest_Controller(), new FormTest_Controller(),

7
tests/security/SecurityTest.php
View File

@ -299,7 +299,7 @@ class SecurityTest extends FunctionalTest {
$member->LockedOutUntil, $member->LockedOutUntil,
'User does not have a lockout time set if under threshold for failed attempts' 'User does not have a lockout time set if under threshold for failed attempts'
); );
$this->assertContains($this->loginErrorMessage(), _t('Member.ERRORWRONGCRED')); $this->assertContains($this->loginErrorMessage(), Convert::raw2xml(_t('Member.ERRORWRONGCRED')));
} else { } else {
// Fuzzy matching for time to avoid side effects from slow running tests // Fuzzy matching for time to avoid side effects from slow running tests
$this->assertGreaterThan( $this->assertGreaterThan(
@ -346,8 +346,9 @@ class SecurityTest extends FunctionalTest {
$this->doTestLoginForm('sam@silverstripe.com' , 'incorrectpassword'); $this->doTestLoginForm('sam@silverstripe.com' , 'incorrectpassword');
} }
$this->assertNull($this->session()->inst_get('loggedInAs')); $this->assertNull($this->session()->inst_get('loggedInAs'));
$this->assertTrue( $this->assertContains(
false !== stripos($this->loginErrorMessage(), _t('Member.ERRORWRONGCRED')), $this->loginErrorMessage(),
Convert::raw2xml(_t('Member.ERRORWRONGCRED')),
'The user can retry with a wrong password after the lockout expires' 'The user can retry with a wrong password after the lockout expires'
); );